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SYSTEM AND METHOD FOR RULES- 
DRIVEN MULTI-PHASE NETWORK 
VULNERABILITY ASSESSMENT 

TECHNICAL FIELD OF THE INVENTION 

The present invention relates in general to network vul- 
nerability assessment and, more particularly, to a system and 
method for rules-driven multi-phase network vulnerability 
assessment. 

BACKGROUND OF THE INVENTION 

Network vulnerability assessment involves the detection 
of potential unauthorized uses and associated exploits 
(collectively "vulnerabilities") as they relate to computer 
networks, the devices that connect to such networks, and/or 
the subsystems that make up those devices. Network types 
can include, for example, the Internet, FDDI, token ring, etc. 
Devices can include routers, switches, workstations, per- 
sonal computers, printers, and other devices. Subsystems 
can include, for example, hardware types, operating 
systems, application programs, etc. 

Network vulnerability assessment can be highly complex 
because the vulnerabilities in a given network can depend 
upon the version and configuration of the network and upon 
the devices and subsystems coupled to the network. 
Additionally, networks can possess atomic as well as com- 
posite vulnerabilities. An atomic vulnerability can be a 
particular application running on a specific device port, for 
example SMTP. A composite vulnerability can result, among 
other reasons, because of the combination of two particular 
subsystems. For example, an operating system, such as 
WINDOWS NT 3.5, with a collection of certain subordinate 
applications can present composite vulnerabilities. 

Another difiSculty for vulnerability assessment stems 
from the highly dynamic nature of network environments. 
Devices of known or unknown type can be added and 
removed from the network at any time. Additionally, differ- 
ent versions and types of subsystems can be introduced to 
the network. Each change or upgrade includes the potential 
for new or changed vulnerabilities to exist on that network. 

There are a number of conventional systems that attempt 
to assess the vulnerability of computer systems but are 
deficient for a variety of reasons. For example, Computer 
Oracle and Password System (COPS) is designed to probe 
for vulnerabilities on a host system. However, COPS does 
not maintain information across an entire network and can 
predict vulnerabilities only on a single host. Other conven- 
tional systems include System Administrator Tool for Ana- 
lyzing Networks (SATAN Suite) and Internet Security Scan- 
ner (ISS). These products can scan computer systems for 
vulnerabilities by active probing, analyze the collected data 
for vulnerabilities, and display the results. However, several 
disadvantages arc associated with these products. For 
example, data collection and analysis are implemented as a 
single process. Such a methodology creates a prohibitively 
time consuming process. Furthermore, as new vulnerabili- 
ties are discovered or a network is changed, it is not possible 
to recreate a previous network configuration in order to test 
for the newly -discovered potential vulnerabilities. 

Additional problems with conventional systems include 
the fact that the analysis process can take a prohibitive 
amount of computing power as the network grows; as such, 
potential vulnerabilities can be missed. A further problem is 
that such conventional systems scan for live Internet Proto- 
col (IP) addresses on a network; therefore, vulnerabilities 
that exist on services that are not active during a scan can be 
missed. 
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SUMMARY OF THE INVENTION 

In accordance with the present invention, a system and 
method for rules-driven multi-phase network vulnerability 
assessment are disclosed that provide significant advantages 
5 over prior developed systems. 

According to one aspect of the present invention, a 
method for network vulnerabihty assessment includes ping- 
ing devices on a network to discover devices with a con- 
nection to the network. Port scans are then performed on the 
10 discovered devices, and banners are collected as a result of 
the port scans. Information from the collected banners is 
stored as entries in a first database. Analysis is performed on 
the entries in the first database by comparing the entries with 
a rule set to determine potential vulnerabilities. The results 
J 5 of the analysis are then stored in a second database. 

In one embodiment, the method for network vulnerability 
assessment also includes performing host nudges on the 
devices and storing information from data received as 
entries in the first database. In another embodiment, the 
method can include performing active data collection on the 
devices. 

In a further embodiment, the method for network vulner- 
ability assessment can include comparing an entry to a rule 
to determine an operating system represented by the entry. 
The entry and the operating system can then be compared to 
a second rule to determine a service. The entry and the 
service can be compared to a third rule to determine a 
potential vulnerability. 

According to another aspect of the present invention, a 
system is provided for network vulnerability assessment. 

^0 The system includes an execution module operable to ping 
devices on a network to discover devices with a connection 
to the network. The execution module is further operable to 
perform port scans on the discovered devices and collect 
banners sent as a result of the port scans. The execution 

35 module is coupled to a first database and is operable to store 
information from the collected banners as entries in the first 
database. The execution module is also coupled to a mle set 
and is operable to perform analysis of the entries in the first 
database by comparing the entries with the rule set to 

4Q determine potential vulnerabilities. The execution module is 
coupled to a second database for storing results of the 
analysis. 

It is a technical advantage of the present invention that the 
dimensionality of a network can be deduced from the 
45 perspective of its core attributes, such as device types, 
operating systems, services, and potential vulnerabilities. 

It is another technical advantage that a network 
configuration, once discovered, can be retained as a snapshot 
such that multiple rule sets can be run against that single 
50 configuration. 

It is a further technical advantage of the present invention 
that each host potentially connected to the network can be 
identified, and the appropriate vulnerabilities can be 
assessed. 

55 It is also a technical advantage that, once identified, 
potential vulnerabilities can be confirmed. 

It is another technical advantage of the present invention 
that the rule set can be implemented with an ASCII based 
prepositional logic system which allows ease of modifica- 
60 lion and extension. 

Other technical advantages should be apparent to one of 
ordinary skill in the art in view of the specification, claims, 
and drawings. 

g5 BRIEF DESCRIPTION OF THE DRAWINGS 

A more complete understanding of the present invention 
and advantages thereof may be acquired by referring to the 
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following description taken in conjunction with the accom- 
panying drawings, in which like reference numbers indicate 
like features, and wherein: 

FIG. 1 is a block diagram of one embodiment of a network 
environment that includes a system for network vulnerabil- 5 
ity assessment according to the present invention; 

FIG. 2 is a block diagram that includes configuration data 
of one embodiment of a network that includes a system for 
network vulnerability assessment according to the present 
invention; 

FIGS. 3Aand 3B are flow diagrams of one embodiment 
of a method for network vulnerability assessment according 
to the present invention; 

FIG. 4 is a flow diagram of a portion of one embodiment 
of a prepositional logic rule set used network vulnerability 
assessment according to the present invention; and 

FIG. 5 is a block diagram of one embodiment of an 
analysis phase of one embodiment of a method for network 
vulnerability assessment according to the present invention. 20 

DETAILED DESCRIPTION OF THE 
INVENTION 

FIG. 1 is a block diagram of one embodiment of a network 
environment that includes of a system for network vulner- 25 
ability assessment according to the present invention. As 
shown, the network environment can comprise devices that 
form an internal network, protection for the internal 
network, and an external network. 

The internal network, indicated generally at 10, can 30 
comprise a plurality of workstations 12 coupled to a network 
backbone 14. Network backbone 14 can comprise, for 
example, an intranet, FDDI, token ring, or other type of 
network backbone. Protection for internal network 10 can be 
provided by a firewall 16 and router 18 which are coupled 35 
to network backbone 14. Router 18 serves as a gateway 
between internal network 10 and an external network 30. 
External network 30 can be, for example, the Internet or 
other public network. Firewall 16 serves to limit external 
access to resources in internal network 10 and protect these 40 
resources from unauthorized use. Internal network 10 fur- 
ther comprises a network vulnerability assessment (NVA) 
engine 20 coupled to network backbone 14. NVA engine 20 
is coupled to and can communicate with a port database 22, 
a rule set 24, and a datamine database 26. NVA engine 20 45 
can comprise, for example, software code executing on a 
computing device such a SUN or INTEL based workstation. 
Alternatively, NVA engine 20 could be integrated into a 
network device coupled to network backbone 14 such as 
router 18 or firewall 16. Port database 22, rule set 24, and 50 
datamine database 26 can comprise data stored in memory 
or fixed storage on the workstation or other device in which 
NVA engine 20 resides. Alternately, some or all of port 
database 22, rule set 24, and datamine database 26 could 
reside in fixed storage remote from the location of NVA 55 
engine 20. 

In the embodiment of FIG. 1, external network 30 can 
include a second router 32. A second NVA engine 40 can be 
coupled to external network 30 via network connection 34. 
NVA engine 40 is coupled to and communicates with a 60 
second port database 42, a second rule set 44, and a second 
datamine database 46. As shown, an NVA engine can be 
placed inside internal network 10, like NVA engine 20, or 
external to network 10, like NVA engine 40. The different 
placement of NVA engines allows for access to different 65 
devices in internal network 10 and thus the NVA engines can 
make different assessments of internal network 10. 
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In operation, devices such as workstations 12 can com- 
municate over network backbone 14. Workstations 12 can 
further communicate with external network 30 via network 
backbone 14 and router 18. As mentioned above, firewall 16 
is intended to prevent unauthorized access from external 
network 30 to devices coupled to internal network 10. 
However, firewall 16 is not capable of preventing all unau- 
thorized access. 

According to the present invention, NVA engine 20 is 
operable to perform network vulnerability assessment. In 
general, this assessment is "multi-phase" in that it can be 
carried out in multiple steps or phases. Furthermore, the 
assessment is "rules driven" in that network configuration 
information can be processed by rule sets to assess vulner- 
abilities. An initial phase of the assessment can be a dis- 
covery phase. NVA engine 20 is operable to ping devices 
coupled to network backbone 14 in order to identify all such 
devices or systems that are so coupled. Such an operation 
can be called "host discovery." 

Another phase of the assessment can be a data collection 
phase. NVA engine 20 can, for example, perform port scans 
on each device coupled to network backbone 14. NVA 
engine 20 can further receive banners from the scanned 
ports. For example, NVA engine 20 could open a connection 
to a port on workstation 12 and receive a telnet banner from 
that port of workstation 12. NVA engine 20 can use such 
banner information to create and to maintain port database 
22. For example, in internal network 10, port database 22 
can include entries for each port that is available through 
router 18, firewall 16, and each of workstations 12. NVA 
engine 20 can continue the data collection phase by per- 
forming host nudges and/or active exploits on devices 
coupled to network backbone 14 in order to ascertain 
configuration data of each device and port. A host nudge is 
generally a non-invasive command that can be used to create 
the equivalent of a port banner. Examples of host nudges can 
be "showmount -e", "rpcinfo", or "GET/" (on HTTP port). 
An example of an active exploit could comprise, for 
example, executing commands against a known service or 
sending data to an active port. Once established, port data- 
base 22 can comprise, for example, a snapshot of network 10 
at a given point in time. 

NVA engine 20 can then execute an analysis phase of the 
assessment by applying rule set 24 to port database 22 and 
creating datamine database 26. The operation of the analysis 
phase can comprise, for example, the methodology showD in 
and described with respect to FIGS. 3B and 4. After this 
process, datamine database 26 can include potential vulner- 
abilities identified by NVA engine 20. Additionally, data- 
mine database 26 can comprise a multi-dimensional data- 
base that includes dimensions based upon the 
dimensionality of the internal network 10. NVA engine 20 
can further perform active exploits on internal network 10 in 
order to confirm the potential vulnerabilities identified in 
datamine database 26. 

NVA engine 40 is operable to perform a similar vulner- 
ability assessment function as NVA engine 20. However, 
NVA engine 40 is placed outside of internal network 10 and 
is external to router 18 and firewall 16. Such a placement can 
prevent NVA engine 40 from identifying potential vulner- 
abilities of internal network 10 because firewall 16 may 
prevent NVA engine 40 from gaining access to network 10. 
However, this placement gives NVA engine 40 a better view 
of devices on external network 30. Additionally, NVA 
engine 40 may be able to make a vulnerability assessment of 
router 18, wherein NVA engine 20 may be prevented from 
doing so because of firewall 16. 
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In implementation, NVA engines 20 and 40 can comprise 
executable software code residing on a computing platform. 
For example, NVA engines 20 and 40 cotild comprise 
executable code running on a PENTIUM PRO or SUN 
. SPARC platform with a SOLARIS X86 V2.5x or V2,6 s 
operating system. Rule set 24 can be implemented as a text 
based (e.g., ASCII) language based upon prepositional logic. 
Such an implementation of rule set 24 has a technical 
advantage in that as new assessment capabilities are 
introduced, new rule sets 24 can be added to the system 
without the need to develop new software code for NVA 
engines 20 and 40. Such an implementation can also allow 
for efficient debugging of rule set 24, as it is human readable. 

FIG. 2 is a block diagram that includes configuration data 
of one embodiment of a network that includes a system for 
network vulnerability assessment according to the present 
invention. This diagram also shows the dimensionality of the 
network and its devices in terms of: device types, operating 
systems, services, and potential vulnerabilities. Internal net- 
work 10 of FIG. 2 comprises numerous devices including 
router 18, firewall 16, web server 50, workstations 52, 56, 
60, and 62, file server 54, printer 64, and terminal server 58. 
Each of these devices is coupled to network backbone 14. 
Similar to FIG. 1, NVA engine 20 is coupled to network 
backbone 14 and is coupled to and in communication with 
port database 22, rule set 24, and datamine database 26. 

In operation, NVA engine 20 is operable to perform a 
network vulnerability assessment of internal network 10. 
The assessment can include, as discussed with respect to 
FIG. 1, a discovery phase and data collection phase. By 30 
executing such processes, NVA engine 20 can identify the 
configuration of internal network 10 and uncover the various 
dimensions within internal network 10. For example, in the 
embodiment of FIG. 2, NVA engine 20 can identify the 
device type 70 of each device or system coupled to internal 35 
network 10. NVA engine 20 can further identify the oper- 
ating system 74 of each device and the services 78 available 
on each device. Such data can be incorporated into port 
database 22, for example, as entries populating fields of port 
database 22. 40 

The potential vulnerabilities 80 can also be identified by 
NVA engine 20. For example, the potential vulnerabilities 80 
shown in the embodiment of FIG. 2 can be the potential 
vulnerabilities inherent to the services 78 and operating 
system 74 of each device 70. In order to identify a particular 45 
potential vulnerability 80 on a particular device 70, NVA 
engine 20 can apply rule set 24 to port database 22. As 
discussed with respect to FIG. 1, such a process can be an 
analysis phase of the network vulnerability assessment. This 
assumes, of course, that router 18 and firewall 16 allow 50 
access to telnet service 78 from external network 30. After 
application of the rule set 24, NVA engine 20 can create 
datamine database 26 from the resulting data, and datamine 
database 26 can include potential vulnerabilities in internal 
network 10. NVA engine 20 can further perform active ss 
exploits on network 10 to confirm the identified potential 
vulnerabilities. 

FIGS. 3Aand 3B arc flow diagrams of one embodiment 
of a method for network vulnerability assessment according 
to the present invention. Such a method can be executed, for 60 
example, by NVA engine 20 of FIG. 2. At step 90, host 
discovery is performed. Host discovery can include, for 
example, pinging devices on a network in order to determine 
devices which are coupled to the network. At step 92, 
passive data collection is performed. For example, this can 65 
include collecting sign-on banners from active ports on a 
device. An example of a sign-on banner can be, for example. 
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a telnet barrier at a TCP port. Further examples of sign-on 
banners collected during this step, as shown in FIG. 3A, are 
a Sendmail 5.6 banner collected from port 25 and a POP 
banner collected from port 110. This data collection activity 
can be "read only" activity and does not require interaction 
with an entity beyond opening a port. In this manner, it is 
"passive." 

Next at step 94, a preliminary analysis is performed. This 
analysis can include determining that a host nudge step 96 
and/or an active exploit step 98 are necessary. For example, 
at step 94, it can be determined if each host discovered in 
step 90 responded to the port scan of step 92. At step 96, a 
host nudge is performed, and at step 98, active exploits are 
performed. A host nudge can comprise, for example, "show- 
mount -e", "rpcinfo", or "GET /I" (on HTTP port). An 
example of an active exploit could comprise, for example, 
executing commands against a known service or sending 
data to an active port. Host nudge step 96 and active exploits 
step 98 are performed to further identify the complete 
configuration of the network upon which the vulnerability 
analysis is performed. 

The information produced by steps 90, 92, 96, and 98 are 
then stored in a port database 22, for example, as entities in 
database fields. Port database 22 can thus provide a snapshot 
of the network at a given point in time. 

In the embodiment of FIG. 3A, the host discovery at step 
90 can be considered the discovery phase of the network 
vulnerability assessment. Steps 92, 94, 96 and 98 can 
collectively be considered the data collection phase. After 
the creation of port database 22, an analysis phase can be 
performed, one embodiment of which is shown in FIG. 3B. 

FIG. 3B is a flow diagram of one embodiment of an 
analysis phase of the method for network vulnerability 
assessment according to the present invention. In the 
embodiment of FIG. 3B, port database 22 includes entries 
that comprise information coUected in previous phases of 
the assessment. For example, entry 100 of port database 22 
can include information from a collected banner. Rule set 24 
can then be used to process port database 22. Rule set 24 can 
include rule parsing algorithm 99, operating system rules 
102, service mles 104, and vulnerability rules 106. Rule set 
24 can support incremental discrimination of type such that 
as rule parsing algorithm 99 is applied, for example, to entry 
100 of port database 22, type discriminations 101 can be 
determined. Rule set 24 can include, for example, a dis- 
criminator language based on prepositional logic that con- 
forms to a Baccus Noir Form. 

In operation, rule set 24 can be applied to each entry 100, 
and rule parsing algorithm 99 can be used to determine type 
discriminations 101 from entry 100. In the embodiment of 
FIG. 3B, three type discriminations 101 are derived from the 
example entry 100: operating system type, service type, and 
vulnerability type. First, rule set 24 can apply operating 
system rules 102 to entry 100. In the example of FIG. 3B, 
the discriminated operating system type 103 is SOLARIS. 
Rule parsing algorithm 99 can then take the operating 
system type 103 and further apply service rules 104 to entry 
100 to determine the service type 105. In the example of 
FIG. 3B, rule parsing algorithm 99 can determine that with 
a SOLARIS operating system and information from entry 
100, the service type 105 is SMTP. Rule parsing algorithm 
99 can next be used with vuhierabilities rules 106 to deter- 
mine that, with a SOLARIS operating system, an SMTP 
service, and information from entry 100, one potential 
vulnerability 107 is Sendmail Overflow. 

The embodiment of the analysis phase shown in FIG. 3B 
highlights a hierarchical natiu-e of rule set 24. Such an 
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implementation provides a technical advantage in that it 
allows for rapid incremental discrimination of type of large 
amounts of data. Tlierefore, a device implementing the 
present methodology using such a rule set can quickly and 
cflBciently assess the vulnerabilities of a network. 

FIG. 4 is a flow diagram of a portion of one embodiment 
of a prepositional logic rule set used in network vulnerability 
assessment according to the present invention. As discussed 
above, port database 22 can include entries 100 which 
include configuration information such as banners received 
in the host discovery phase. In the embodiment of FIG. 4, 
rule set 24 comprises prepositional logic elements 111, 115, 
and 119. Type discriminations 101, as discussed above, can 
then be determined from the application of rule set 24 to 
entries 100 in port database 22. 

In operation, entry 100 in port database 22 can initially 
include banner 110. Prepositional logic element 111 can be 
applied to entry 110 to determine a type discrimination 101 
of "SOLARIS 2.x" operating system. Similarly, the ele- 
ments 115 and 119 of rule set 24 of FIG. 4 can further be 
applied to entries 114 and 118 to determine the type dis- 
crimination 49 of "FTP active" service and a "Sendmail 
Overflow"* potential vulnerability. 

As shown in FIG. 4, rule set 24 can be expressed in an 
ASCII based prepositional logic language. In operation, 
NVA engine 20 can apply a given rule set 24 to port database 
22. If desired, rule set 24 can be exchanged with a new rule 
set. It is an advantage that such an exchange can be 
implemented without additional compilation of the NVA 
engine or other executable portion of the system. Further, 
rule set 24 can be extended to add custom rules needed by 
a particular network operator. 

FIG. 5 is a block diagram of one embodiment of an 
analysis phase of a method for network vulnerability assess- 
ment according to the present invention. In the embodiment 
of FIG. 5, multiple mle sets 24 and 124 are applied to port 
database 22 to generate two datamine databases 26 and 126. 
For example, port database 22 can represent a snapshot of a 
network at a given point in time. Rule set 24 can be applied 
to port database 22, and datamine database 26 can be 
created. Datamine database 26 can then include potential 
vulnerabilities of the network as represented by port data- 
base 22 and as analyzed using rule set 24. The assessment, 
however, is somewhat dependent upon rule set 24. If new, 
previously unknown potential vulnerabilities are discovered 
or if corrections to rule set 24 are needed, then a new rule 
set 124 can be created. This secood rule set 124 can be 
applied to the same port database 22 to create a second 
datamine database 126 including a new representation of 
network vulnerabilities. It is a technical advantage of the 
present invention that a snapshot of a network at a given 
point in time can be stored by port database 22 and that 
different vulnerability assessments can be performed on that 
snapshot using different rule sets. This advantage leads to 
more efficient debugging of rule sets as weU as to more 
adaptive vulnerability assessment. 

Although described in terms of discrete "phases", those 
skilled in the art will recognize that the method and system 
of network vulnerability assessment of the present invention 
can also comprise an iterative process. For example, during 
the analysis phase it can be determined that blocks of 
configuration data in the port database are missing, and thus 
the system can return to the discovery phase to perform 
some further data gathering. Additionafly, the present inven- 
tion can streamline the network vulnerability assessment by 
recognizing common network configurations. For example, 
most detection (i.e., discovery of the OS and service of each 
device) can be performed by gathering information, for 
example by a regex, from ports 21, 23, and 25 on a device. 
Much of the remaining needed information can be gathered 
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with a PERL regex to capture version information. There 
are, however, instances of specific configurations that can 
require specific knowledge in order to determine the con- 
figuration. For example, SGI can run IRIX operating system. 
5 Therefore, if SGI responds at port 25 on a device, the 
operating system could be IRIX. However, SGI may support 
other operating systems, so the determination of an IRIX 
operating system should only be made as a default — if no 
other operating system can be determined. Such a specific 
hierarchy of analysis can be performed by the rule set driven 
analysis, as discussed with respect to FIGS. 3 A, 3B, 4, and 
5. 

Another embodiment of the present invention can include 
an active analysis phase for the purpose of confirming the 
potential vulnerabilities identified by the network vulner- 
ability assessment. Such a phase can comprise active 
exploits performed on the network against particular 
devices, services, or ports. Such an activity can be per- 
formed in real-time and thus it may be necessary to include 
a real-time data feed function into the datamine database. 

20 For example, such real time data insertion is described in 
U.S. patent apphcation Ser. No. 09/107,790, entitled "Sys- 
tem and Method for Real-Time Insertion of Data Into a 
Multi-Dimensional Database for Network Intrusion Detec- 
tion and Vulnerability Assessment", pending, the disclosure 

25 of which is incorporated herein by reference. 

Although the present invention has been described in 
detail, it should be understood that various changes, substi- 
tutions and alterations can be made thereto without depart- 
ing from the spirit and scope of the invention as defined by 

30 the appended claims. 
What is claimed is: 

1. A computer implemented method for multi-phase mles- 
driven network vulnerability assessment, the method com- 
prising: 

35 pinging devices on a network to discover devices with a 
connection to the network; 
performing port scans on the discovered devices and 

collecting banners sent as a result of the port scans; 
storing information from the collected banners as entries 
40 in a first database to establish a network configuration; 
comparing the entries in the network configuration with 
more than one rule set to determine potential vulner- 
abilities; and 

storing results of the comparison in a second database. 
45 2. The method of claim 1, further comprising performing 
host nudges on the devices and storing information from 
data received as entries in the first database. 

3. ITie method of claim 1, further comprising performing 
active data collection and storing information from data 

50 received as entries in the first database. 

4. The method of claim 1, wherein comparing comprises: 
comparing an entry in the network configuration to a rule 

to determine an operating system represented by the 
entry; 

55 comparing the entry to a second rule to determine a 
service; and 

comparing the entry to a third rule to determine a potential 
vulnerability. 

5. ITie method of claim 1, wherein the rule sets comprise 
60 a text based prepositional logic language. 

6. The method of claim 1, further comprising confirming 
a potential vulnerability by performing an active exploit. 

7. A system for multi-phase rules-driven network vulner- 
ability assessment, the system comprising: 

65 a first database for storing information from collected 
banners as entries; 
a plurality of rule sets; 
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a second database for storing results of a comparison; and 

an execution module coupled to the first database, the rule 
set, and the second database, the execution module 
operable to ping devices on a network to discover 
devices with a connection to the network, the execution s 
module further operable to perform port scans on the 
discovered device and collect banners sent as a result of 
the port scans; 

the execution module operable to store information from 
the collected entries in the first database to establish a 
network configuration and compare the entries in the 
network configuration with more than one rule set to 
determine potential vulnerabilities; 

the execution module operable to store results of the 
comparision in the second database. 

8. The system of claim 7, wherein the execution module 
is further operable to perfomi host nudges on the devices and 
store information from data received as entries in the first 
database. 

9. The system of claim 7, wherein the execution module 
is further operable to perform active data collection and 
store information from data received as entries in the first 
database. 

10. The system of claim 7, wherein the execution module 
is operable to: 

compare an entry in the network configuration to a rule to 25 
determine an operating system represented by the 
entry; 

compare the entry to a second rule to determine a service; 
and 

compare the entry to a third rule to determine a potential 
vulnerability. 

11. The system of claim 7, wherein the rule sets comprise 
a text based prepositional logic language. 

12. The system or claim 7, wherein the execution module 

is further operable to confirm a potential vulnerability by 35 
performing an active exploit. 

13. A computer implemented method for multiphase 
rules-driven network vulnerabiUty assessment, the method 
comprising: 

pinging devices on a network to discover devices with a 40 

connection to the networic; 
performing port scans on the discovered devices and 

collecting banners sent as a result of the port scans; 
storing information from the collected banners as entries 

in a first database to establish a network configuration; ^5 
comparing an entry in the first database to a rule to 

determine an operating system represented by the 

entry; 

comparing the entry to a second rule to determine a 
service; 

comparing the entry to a third rule to determine a potential 
vulnerability; and 

storing results of the comparing steps in a second data- 
base. 

14. The method of claim 13, further comprising perform- 
ing host nudges on the devices and storing information from 
data received as entries in the first database. 

15. The method of claim 13, further comprising perform- 
ing active data collection and storing information from data 
received as entries in the first database. 

16. The method of claim 13, wherein the rules comprise 
an ASCII based prepositional logic language. 

17. The method of claim 13, further comprising confirm- 
ing a potential vulnerability by performing an active exploit. 

18. Logic encoded in media for multi-phase rules-driven 65 
network vulnerability assessment and operable to perform 
the following steps: 
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pinging devices on a network to discover devices with a 
connection to the network; 

performing port scans on the discovered devices and 
collecting banners sent as a result of the port scans; 

storing information from the collected banners as entries 
in a first database to establish a network configuration; 

comparing the entries in the network configuration with 
more than one rule set to detemine potential vulner- 
abilities; and 

storing results of the comparison in a second database. 

19. The logic of claim 18, further comprising the step of 
performing host nudges on the devices and storing informa- 
tion from data received as entries in the first database. 

20. The logic of claim 18, further comprising the step of 
performing active data collection and storing information 
from data received as entries in the first database. 

21. The logic of claim 18, wherein comparing comprises: 
comparing an entry in the network configuration to a rule 

to determine an operating system represented by the 
entry; 

comparing the entry to a second rule to determine a 
service; and 

comparing the entry to a third rule to determine a potential 
vulnerability. 

22. The logic of claim 18, further comprising the step of 
confirming a potential vukierability by performing an active 
exploit. 

23. An apparatus for multi -phase rules-driven network 
vulnerability assessment comprising: 

means for pinging devices on a network to discover 
devices with a connection to the network; 

means for performing port scans on the discovered 
devices and collecting banners sent as a result of the 
port scans; 

means for storing information firom the collected banners 
as entries in a first database to establish a network 
configuration; 

means for comparing the entries in the network configu- 
ration with more than one rule set to determine poten- 
tial vulnerabilities; and 

means for storing results of the comparison in a second 
database. 

24. The apparatus of claim 23, further comprising means 
for performing host nudges on the devices and storing 
information from data received as entries in the first data- 
base. 

25. The apparatus of claim 23, further comprising means 
for performing active data collection and storing information 
from data received as entries in the first database, 

26. The apparatus of claim 23, wherein means for com- 
paring comprises: 

means for comparing an entry in the network configura- 
tion to a rule to determine an operating system repre- 
sented by the entry; 

means for comparing the entry to a second rule to deter- 
mine a service; and 

means for comparing the entry to a third rule to determine 
a potential vulnerability, 

27. The apparatus of claim 23, further comprising means 
for confirming a potential vulnerability by performing an 
active exploit. 

♦ ♦ * ♦ ♦ 
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